http-probing Configuration

« http-probing »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

Detect site scanning/probing from a single ip

Installation

cscli scenarios install crowdsecurity/http-probing

Description

Take remediation against a single IP that requires multiple different (http path) pages that end up in 404/403/400.

Leakspeed of 10s, capacity of 10.

YAML Configuration

1# 404 scan
2type: leaky
3#debug: true
4name: crowdsecurity/http-probing
5description: "Detect site scanning/probing from a single ip"
6filter: "evt.Meta.service == 'http' && evt.Meta.http_status in ['404', '403', '400'] && evt.Parsed.static_ressource == 'false'"
7groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
8distinct: "evt.Meta.http_path"
9capacity: 10
10reprocess: true
11leakspeed: "10s"
12blackhole: 5m
13labels:
14  remediation: true
15  classification:
16    - attack.T1595
17  behavior: "http:scan"
18  label: "HTTP Probing"
19  spoofable: 0
20  service: http
21  confidence: 1
22

Hub configuration

« http-probing »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1

« http-probing »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:1